Mike Chapple is teaching professor of information technology at the University of Notre Dame’s Mendoza College of Business. The opinions expressed in this commentary are his own.
Over the course of a couple of hours last week, we saw some of Twitter’s most highly followed accounts send out tweets hawking a Bitcoin scam. The attackers compromised the verified accounts belonging to Barack Obama, Joe Biden, Elon Musk, Kanye West and others and used them to promise millions of their followers that if they sent Bitcoin to a specific address, they’d receive double their money in return.
On the surface, this scam doesn’t appear to be all that sophisticated. Most of us would take one look at these tweets and immediately recognize that something was amiss. After all, Bitcoin scams are common on Twitter. The difference here was that they normally take place using relatively anonymous accounts, rather than those belonging to politicians, tech CEOs and cultural icons. The credibility of those accounts boosted the scam, with hundreds of people sending more than $100,000 in Bitcoin to the advertised wallet. That’s somewhat shocking, but we learned some more interesting details when we started to dig into this attack a little more.
First, the digital world may have gotten off easy last week. The attackers executed their scam in a clumsy fashion that immediately attracted the attention of the global media and Twitter’s security team. Twitter removed the offending tweets, blocked access to the affected accounts and restored normal operations.
There are some indications that this attack was more than just a Bitcoin scam. On Thursday, Twitter admitted that the attackers had also used their access to read the private direct messages of up to 36 users. It’s possible that more will come to light as the investigation unfolds.
What if the attackers had been more sophisticated in their execution? If they chose to send out more carefully designed tweets, they could have delayed detection of the attack and made a global impact. It’s also not difficult to imagine scenarios where the attackers could have sent out tweets that influenced national politics or moved financial markets, instead of convincing people to send Bitcoin in the hopes of making money.
There is only one place to lay the blame for this incident: right on Twitter’s doorstep. Twitter acknowledged that the attackers gained access to the company’s internal systems, where they were able to bypass many security controls.
If that’s the case, it demonstrates a stunning lack of internal security at Twitter. The internal tools the attackers leveraged gave them the ability to manipulate Twitter accounts directly, without going through the account owners at all.
The broad availability of an internal tool that allows employees to take over any account is worrisome. These tools certainly make the lives of customer service representatives easier but, as we just learned, they also create significant risk. Uber learned this the hard way in 2014 when reports surfaced that employees had widespread access to the personal information of riders through the company’s internal “God view.”
Customer service teams need administrative tools to perform routine aspects of their jobs, but those tools must be carefully protected with strong security measures. They also need to be set up to automatically detect obvious cases of misuse such as, say, the same person simultaneously accessing the accounts of dozens of high-profile individuals and using those accounts to send out a Bitcoin scam.
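The kind of automatic misuse detection described above can be illustrated with a small monitor over an admin-tool audit trail. The following is an added example and is not Twitter’s code or tooling; the log format, the operator names, the watchlist of high-profile handles, the sensitive-action names and the alerting thresholds are all constructed for illustration. It flags any single operator who performs sensitive account actions on several watchlisted accounts within a short sliding window, while ignoring routine single lookups and the same actions spread out over hours.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (hypothetical format, not a real system's logs).
# Timestamps are deliberately out of order to show that the detector sorts first.
SAMPLE_LOG = """
2020-07-15T19:55:02Z operator=agent-17 action=view_profile target=@regular_user_1
2020-07-15T19:56:40Z operator=agent-17 action=reset_password target=@regular_user_2
2020-07-15T19:58:11Z operator=agent-17 action=reset_password target=@vip_politician_a
2020-07-15T20:01:12Z operator=agent-42 action=reset_password target=@vip_politician_a
2020-07-15T20:02:05Z operator=agent-42 action=reset_password target=@vip_politician_b
2020-07-15T20:03:47Z operator=agent-42 action=change_email target=@vip_ceo_c
2020-07-15T20:06:30Z operator=agent-42 action=change_email target=@vip_artist_d
2020-07-15T18:00:00Z operator=agent-08 action=reset_password target=@vip_politician_b
2020-07-15T18:45:00Z operator=agent-08 action=reset_password target=@vip_ceo_c
2020-07-15T19:40:00Z operator=agent-08 action=reset_password target=@vip_artist_d
"""

# Hypothetical watchlist of high-profile handles (constructed placeholders).
HIGH_PROFILE = {"@vip_politician_a", "@vip_politician_b", "@vip_ceo_c", "@vip_artist_d"}

# Actions that let an operator take control of an account; read-only views are excluded.
SENSITIVE_ACTIONS = {"reset_password", "change_email", "session_override"}

WINDOW = timedelta(minutes=10)   # sliding window per operator
THRESHOLD = 3                    # distinct watchlisted accounts that trigger an alert


def parse_line(line):
    """Parse one 'ts key=value ...' audit line; return None if it is malformed."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
        return ts, fields["operator"], fields["action"], fields["target"]
    except (ValueError, KeyError):
        return None


def detect(lines, watchlist=HIGH_PROFILE, window=WINDOW, threshold=THRESHOLD):
    """Return [(operator, trigger_time, sorted_targets)] for operators who perform
    sensitive actions on >= threshold distinct watchlisted accounts within window."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e[0])          # logs may arrive out of order

    recent = defaultdict(deque)              # operator -> deque of (ts, target)
    alerts, alerted = [], set()
    for ts, operator, action, target in events:
        if action not in SENSITIVE_ACTIONS or target not in watchlist:
            continue
        q = recent[operator]
        q.append((ts, target))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= threshold and operator not in alerted:
            alerted.add(operator)            # alert once per operator
            alerts.append((operator, ts, sorted(distinct)))
    return alerts


if __name__ == "__main__":
    for operator, when, targets in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when.isoformat()} operator={operator} targets={targets}")
```

On the constructed log, only agent-42 is flagged: three distinct watchlisted accounts are taken over within about two and a half minutes. agent-17 touches a single watchlisted account and agent-08 touches three but spread across nearly two hours, so neither meets the threshold. In practice the watchlist, window and threshold would be tuned to the support team's real workload, and the alert would feed a review queue rather than block the action outright.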
No matter how you look at this situation, things don’t look good for Twitter’s internal security program. In order to regain the public trust, the company has a lot of work to do.